\section{Subject}\label{sec:design-subject}
A subject\index{subject} is a software component executed by the separation
kernel. Similar terms used in literature are partition, container, task or
component. Subjects constitute the majority of a system based on the Muen
kernel. They are intended to be used as the building blocks of a
component-based security system.

The main purpose of the kernel is to execute an arbitrary number of subjects,
giving them access to assigned resources and only allowing communication
between subjects via explicitly defined channels\index{channels}. The kernel
manages subject execution and treats all subjects equally.

Information related to a subject is divided into two distinct categories:

\begin{description}
	\item[Specification] encompasses all static configuration data, that is
		constant and does not change during the runtime of the system, e.g.
		assigned hardware devices and memory resources.
	\item[State] is made up of all transient values that are potentially
		modified by the execution of a subject, e.g. CPU register values.
\end{description}

\subsection{Subject Specification}
The specification defines the resources that a subject is allowed to access,
what execution environment the kernel must provide for the subject, the initial
state and of course the subject binary itself. All resources that a subject can
access, must be explicitly defined in the specification, which includes the
complete memory layout of the subject.

This information is part of the overall system specification\index{system
specification} and is fixed at integration time. It does not change during the
execution of the system. The kernel keeps this information as part of the
compiled system policy in read-only memory. Since subjects are unable to access
kernel memory, the subject specifications cannot be tampered with.

\subsection{Subject State}
Running a subject inevitably affects and changes the execution
environment\index{execution environment}. The state of a subject encompasses
all system elements that are visible to the subject. In particular this
includes the CPU registers, instruction and stack pointer as well as control
register values.

Since the kernel suspends and resumes subject execution and potentially
multiple subjects can be executed in arbitrary order, the state of the system
as viewed by the subject must be saved. The state must be restored accurately
upon resumption, otherwise the subject will not be able to execute seamlessly.

Subject management information used by the kernel during runtime is also
considered part of the subject state\index{subject state}. This includes a data
structure for storing pending interrupts to be delivered to the subject.

\subsection{Subject Profile}
Two types of subjects are distinguished:

\begin{itemize}
	\item Native applications
	\item Virtual Machine (VM\index{VM}) subjects
\end{itemize}

Each of these types is captured by so called \emph{subject
profiles}\index{subject profiles}. These profiles determine the execution
environment and architectural features (e.g.  memory management) that the
subject is allowed to use. Profiles are declared in the subject specification.
The currently supported profiles are described in the following sections.

\subsubsection{Native Subject}
A \emph{native} subject\index{native subject} is a 64-bit application, that
executes directly on the virtual processor without any supporting operating
system kernel or runtime environment. Such applications are also known as bare
bones, bare metal or bare machine.

The execution environment of the native subject profile has the following main
properties:

\begin{itemize}
	\item IA-32e/64-bit processor mode
	\item No mode switching
	\item No memory management (static paging structures)
	\item No hardware exception handling
	\item No control register access
\end{itemize}

\subsubsection{VM Subject}
A \emph{virtual machine} (VM) subject\index{VM subject} has more control over
its execution environment. The VM profile is intended for executing operating
systems such as Linux\index{Linux}.

The execution environment of the VM subject profile has the following main
properties:

\begin{itemize}
	\item Switching between 32-bit and 64-bit modes
	\item Memory management and page table management via EPT\index{EPT}
	\item Hardware exception handling
	\item Restricted control register access
\end{itemize}
